Troj/Agent-ADWN

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 25 Sep 2013 01:58:50 (GMT)
Last Updated: 25 Sep 2013 21:51:57 (GMT)


Examples of Troj/Agent-ADWN include:

Example 1

File Information

Size
142K
SHA-1
01d97e21acd858cfec2c14d818c2277d6c95c6fd
MD5
7b69446bcf45f77586a072ae46dce40c
CRC-32
c7fd55e9
File type
Windows executable
First seen
2011-09-04

Example 2

File Information

Size
52K
SHA-1
088911f677c6ed629fd000be20cc004162bd5a4c
MD5
57379a8deb9c608827ebb1c52c38de4c
CRC-32
4f90a272
File type
Windows executable
First seen
2011-06-28

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\135640.exe
    Size
    515K
    SHA-1
    47a2574f120800c3259e39f50096de3f1d92bcd3
    MD5
    817a09d858cc74535a56ccf1a5078f5d
    CRC-32
    446a60cc
    File type
    Windows executable
    First seen
    2013-09-22
Registry Keys Created
  • HKCU\Software\WinRAR
    0D3115302DE52195C89299036B11968B
    tr□Pe□
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Google Update
    "c:\Documents and Settings\test user\Local Settings\Application Data\Google\Desktop\Install\{8b2e7cc0-3175-028b-9a2b-805595885191}\???\???\???\{8b2e7cc0-3175-028b-9a2b-805595885191}\GoogleUpdate.exe" >
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    DeleteFlag
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    ErrorControl
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum
    NextInstance
    0x00000000
Processes Created
  • c:\docume~1\support\locals~1\temp\135640.exe
  • c:\docume~1\support\locals~1\temp\139890.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://j.maxmind.com/app/geoip.js
  • http://tableofcontentsadministered.biz/soft33.exe
  • http://tableofcontentsadministered.biz/soft44.exe
IP Connections
DNS Requests
  • j.maxmind.com
  • tableofcontentsadministered.biz

Example 3

File Information

Size
189K
SHA-1
136c5549dcb7fa6ca4a991dc67863a61eadc210e
MD5
7822a4592dd8240385526fe284f5fda5
CRC-32
e05260ce
File type
Windows executable
First seen
2007-08-20

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\Fonts\i3E8p3h.com
  • C:\WINDOWS\system32\i3E8p3h.com
  • c:\Documents and Settings\test user\Local Settings\Application Data\i3E8p3h.exe
Dropped Files
  • C:\WINDOWS\ime\imjp8_1\IMJPMIG .exe
  • C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
    Size
    189K
    SHA-1
    6c80a5ff322d6c15b2d72da23da24e984f8a434c
    MD5
    d959b1d86482e0c0cb46e49614a69951
    CRC-32
    3e1547dc
    File type
    Windows executable
    First seen
    2013-09-23
  • C:\bin\rm_disk_mount .exe
Modified Files
  • C:\bin\rm_disk_mount.bat
    • Changed the file contents
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Direct3D
    LA
    0x00000261
  • HKCU\Software\Microsoft\Internet Explorer\Main
    NoProtectedModeBanner
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    2500
    0x00000003
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    WarnOnZoneCrossing
    0x00000000
Processes Created
  • c:\windows\ime\imjp8_1\imjpmig .exe
  • c:\windows\ime\imjp8_1\imjpmig.exe
  • c:\windows\system32\schtasks.exe
IP Connections
  • 94.228.209.132:53
DNS Requests
  • 2.0.0.609.4242497517.3397364156.0.1.2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.method.in
  • 2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.0.0.f3.method.in
  • 609.2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.ofi.method.in
